SB2025040109 - Multiple vulnerabilities in Apple visionOS
Published: April 1, 2025 Updated: November 12, 2025
Description
This security bulletin contains information about 52 security vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2024-56171)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the xmlSchemaIDCFillNodeTables() and xmlSchemaBubbleIDCNodeTables() functions in xmlschemas.c (libxml2). A remote attacker can pass a specially crafted XML document to the application, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
2) Spoofing attack (CVE-ID: CVE-2025-24113)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in Safari. A remote attacker can trick the victim into visiting a specially crafted website and spoof the page content.
3) NULL pointer dereference (CVE-ID: CVE-2025-27113)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference within the xmlPatMatch() function in pattern.c (libxml2). A remote attacker can pass a specially crafted XML document to the affected application and perform a denial of service (DoS) attack.
4) Out-of-bounds read (CVE-ID: CVE-2024-48958)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the execute_filter_delta() function in archive_read_support_format_rar.c (libarchive). A remote attacker can create a specially crafted RAR archive, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
5) Out-of-bounds read (CVE-ID: CVE-2025-24230)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in CoreAudio. A remote attacker can create a specially crafted MP4 file, trick the victim into playing it, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.
6) Buffer overflow (CVE-ID: CVE-2025-24243)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Audio. A remote attacker can create a specially crafted AMR file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) State issues (CVE-ID: CVE-2025-30430)
The vulnerability allows an attacker with physical access to the device to gain unauthorized access to third-party services.
The vulnerability exists in Authentication Services because password autofill can fill in passwords after a failed authentication. An attacker with physical access to the device can log in to a third-party application using credentials supplied by Authentication Services.
8) Security features bypass (CVE-ID: CVE-2025-24180)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in Authentication Services when scoping WebAuthn credentials. A remote attacker can trick the victim into visiting a specially crafted website that claims WebAuthn credentials belonging to another website sharing the same registrable suffix.
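The check that this entry is about, as an added example (not Apple's code and not taken from the bulletin): a WebAuthn RP ID is acceptable for an origin only if it equals the origin's host or is a dot-separated suffix of it, and additionally is not itself a public suffix. Without the second test, attacker.github.io could pass with RP ID github.io and ask the authenticator for credentials that victim.github.io registered. PUBLIC_SUFFIXES is a constructed fragment standing in for the Public Suffix List; the weak and hardened variants are shown side by side.

```python
"""Added example: validating a WebAuthn RP ID against the calling origin.

Constructed for this bulletin, not Apple's code. A Relying Party ID is only
acceptable for an origin if it equals the origin's host or is a dot-separated
suffix of it, AND it is not itself a public suffix such as "github.io" or
"co.uk". Without the second test, any site under a shared suffix could claim
credentials that another site under that suffix registered. PUBLIC_SUFFIXES
is a constructed fragment of the Public Suffix List, not the real list.
"""
from urllib.parse import urlsplit

# Constructed fragment of the Public Suffix List (assumption for the example).
PUBLIC_SUFFIXES = {"com", "io", "uk", "co.uk", "github.io"}


def effective_domain(origin: str) -> str:
    """Return the lower-cased host of an https:// origin; reject anything else."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not a secure origin: {origin!r}")
    return parts.hostname.lower().rstrip(".")


def is_domain_suffix(host: str, rp_id: str) -> bool:
    """True if rp_id equals host or host ends with '.' + rp_id."""
    return bool(rp_id) and (host == rp_id or host.endswith("." + rp_id))


def rp_id_allowed_weak(origin: str, rp_id: str) -> bool:
    """Suffix-only check, the pattern this entry describes.

    attacker.github.io passes with rp_id "github.io" and can therefore ask
    the authenticator for credentials that victim.github.io registered.
    """
    return is_domain_suffix(effective_domain(origin), rp_id.lower().rstrip("."))


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Hardened check: suffix match plus a registrable-domain test."""
    host = effective_domain(origin)
    rp_id = rp_id.lower().rstrip(".")
    if not is_domain_suffix(host, rp_id):
        return False
    # A public suffix is shared by unrelated sites; it can never be an RP ID.
    return rp_id not in PUBLIC_SUFFIXES
```

A real client must consult the full Public Suffix List (and keep it current), and must also refuse non-https origins, which effective_domain() does by raising.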
9) Buffer overflow (CVE-ID: CVE-2025-24237)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in BiometricKit. A local application can trigger a buffer overflow and cause an unexpected system termination.
10) Path traversal (CVE-ID: CVE-2025-30429)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to input validation error when processing filenames in Calendar. A local application can break out of its sandbox.
11) Input validation error (CVE-ID: CVE-2025-24212)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of untrusted input in Calendar. A local application can break out of its sandbox.
12) Input validation error (CVE-ID: CVE-2025-24163)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in CoreAudio. A remote attacker can trick the victim into opening a specially crafted media file and perform a denial of service (DoS) attack.
13) Out-of-bounds write (CVE-ID: CVE-2025-24211)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in CoreMedia. A remote attacker can create a specially crafted MP4 file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system in the context of the WebKit GPU process.
14) Buffer overflow (CVE-ID: CVE-2025-24190)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in CoreMedia. A remote attacker can create a specially crafted MP4 file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system in the context of the WebKit GPU process.
15) Out-of-bounds read (CVE-ID: CVE-2025-24182)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in CoreText when handling font files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
16) Comparison using wrong factors (CVE-ID: CVE-2024-9681)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to an error in the HSTS cache implementation in curl. When curl is asked to use HSTS, the expiry time received for a subdomain can overwrite the parent domain's cache entry, making it expire sooner or later than intended. This can make the website unavailable or force the client to fall back from HTTPS to HTTP earlier than intended.
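The cache behaviour described above, as an added example that is not curl's code: a simplified HSTS cache with one entry per host. Enforcement lookups may legitimately match a parent entry that carries includeSubDomains, but the lookup used when updating an entry from a Strict-Transport-Security response header must match the exact host only. The weak variant uses the subdomain-matching lookup in both places, so a header from x.example.com rewrites the expiry of the example.com entry; the fixed variant creates a separate entry for the subdomain. Hostnames, header values and clock values are constructed.

```python
"""Added example: a simplified HSTS cache modelling the curl bug.

Not curl's code. One entry per host, with an expiry time and an
includeSubDomains flag. Enforcement lookups may match a parent entry with
includeSubDomains; lookups for updating from a response header must match
the exact host only. The weak variant uses subdomain matching for both, so a
header from x.example.com rewrites the expiry of the example.com entry.
"""
from dataclasses import dataclass


@dataclass
class HstsEntry:
    host: str
    expires: int            # seconds since epoch (constructed clock)
    include_subdomains: bool


class HstsCache:
    def __init__(self):
        self._entries: dict[str, HstsEntry] = {}

    def _find(self, host: str, allow_subdomain_match: bool):
        """Exact match, or (if allowed) nearest parent with includeSubDomains."""
        entry = self._entries.get(host)
        if entry is not None or not allow_subdomain_match:
            return entry
        labels = host.split(".")
        for i in range(1, len(labels) - 1):      # never consult the bare TLD
            parent = self._entries.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains:
                return parent
        return None

    def should_upgrade(self, host: str, now: int) -> bool:
        """Enforcement lookup: subdomain matching is correct here."""
        entry = self._find(host, allow_subdomain_match=True)
        return entry is not None and entry.expires > now

    def _update(self, host: str, header: str, now: int, subdomain_match: bool):
        max_age, inc = parse_sts(header)
        entry = self._find(host, subdomain_match)
        if entry is None:
            entry = HstsEntry(host, 0, False)
            self._entries[host] = entry
        entry.expires = now + max_age
        entry.include_subdomains = inc

    def update_weak(self, host: str, header: str, now: int) -> None:
        """Buggy: may select, and then overwrite, the parent domain's entry."""
        self._update(host, header, now, subdomain_match=True)

    def update(self, host: str, header: str, now: int) -> None:
        """Fixed: only the exact host's entry is created or touched."""
        self._update(host, header, now, subdomain_match=False)


def parse_sts(header: str):
    """Parse 'max-age=N[; includeSubDomains]' into (N, flag)."""
    max_age, inc = 0, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            inc = True
    return max_age, inc
```

With the weak update, a short max-age (or max-age=0) announced by any subdomain shortens or cancels the parent's policy, which is the downgrade window the entry describes.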
17) Improper access control (CVE-ID: CVE-2025-24221)
The vulnerability allows an attacker with access to a device backup to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Accounts. Sensitive keychain data may be accessible from an iOS backup.
18) Improper access control (CVE-ID: CVE-2025-30439)
The vulnerability allows an attacker with physical access to the system to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Focus. An attacker with physical access to the system can view sensitive user information.
19) Information exposure through log files (CVE-ID: CVE-2025-24283)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Focus. A local application can access sensitive user data.
20) Information exposure through log files (CVE-ID: CVE-2025-30447)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Foundation. A local application can access sensitive user data.
21) Out-of-bounds read (CVE-ID: CVE-2025-24210)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the CoreGraphics framework. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
22) Out-of-bounds write (CVE-ID: CVE-2025-24257)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds write in IOGPUFamily. A local application can cause an unexpected system termination or write kernel memory.
23) State issues (CVE-ID: CVE-2025-30432)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to a state management error in the OS kernel. An attacker with physical access to a locked device on which a malicious app is installed can attempt passcode entries and thereby cause escalating time delays after four failures.
24) Improper access control (CVE-ID: CVE-2025-24194)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in libnetcore. A remote attacker can trick the victim into opening a specially crafted file and gain access to sensitive information.
25) Link following (CVE-ID: CVE-2025-31182)
The vulnerability allows a local application to delete arbitrary files on the system.
The vulnerability exists due to insecure symbolic link following in libxpc. A local application can delete files it does not have access to.
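The two file-handling defects in entries 10 and 25, a filename that escapes its directory and a delete that follows a symbolic link, share one defence pattern. As an added example (not Apple's code and not derived from the affected components): confine() accepts only a single plain filename and refuses separators and dot components before any path is formed; remove_no_follow() opens the target directory with O_NOFOLLOW and O_DIRECTORY so that a directory swapped for a symlink fails with ELOOP, then checks and unlinks the entry through that pinned directory descriptor. demo() builds a constructed layout in a temporary directory and shows the naive delete destroying the victim's file while the hardened one refuses. POSIX only.

```python
"""Added example: confining a caller-supplied filename to one directory and
deleting it without following symbolic links.

Constructed for this bulletin, not Apple's code. confine() models the fix for
a filename that escapes its directory; remove_no_follow() models the fix for
a delete that follows a symlink. demo() builds a throwaway layout in a
temporary directory: a victim directory holding secret.txt, and a "cache"
directory the attacker has replaced with a symlink to it. POSIX only.
"""
import os
import stat
import tempfile


def confine(base: str, name: str) -> str:
    """Return base/name for a single plain filename; raise on anything else."""
    # Refuse separators and dot components outright instead of normalising:
    # "../victim/secret.txt" must never turn into a path at all.
    if not name or "/" in name or os.sep in name or name in (".", ".."):
        raise ValueError(f"invalid filename: {name!r}")
    if os.altsep and os.altsep in name:
        raise ValueError(f"invalid filename: {name!r}")
    path = os.path.join(base, name)
    # Second line of defence: the result must sit directly under base.
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(base):
        raise ValueError(f"filename escapes {base!r}: {name!r}")
    return path


def remove_no_follow(base: str, name: str) -> None:
    """Delete base/name only if base is a real directory and name a regular file."""
    name = os.path.basename(confine(base, name))
    # O_NOFOLLOW: fail with ELOOP if base has been swapped for a symlink.
    # O_DIRECTORY: fail if base is not a directory at all.
    dfd = os.open(base, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.lstat(name, dir_fd=dfd)          # lstat: never follow the entry
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"refusing to remove non-regular file {name!r}")
        os.unlink(name, dir_fd=dfd)              # acts on the pinned directory fd
    finally:
        os.close(dfd)


def demo() -> dict:
    """Exercise both checks against a constructed layout; return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")
        os.mkdir(victim)
        secret = os.path.join(victim, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("keep me\n")

        # Honest case: a real cache directory with a file the service owns.
        real_cache = os.path.join(root, "real_cache")
        os.mkdir(real_cache)
        junk = os.path.join(real_cache, "junk.tmp")
        open(junk, "w").close()
        remove_no_follow(real_cache, "junk.tmp")
        results["legit_removed"] = not os.path.exists(junk)

        # Attacker swaps the cache directory for a symlink to the victim dir.
        cache = os.path.join(root, "cache")
        os.symlink(victim, cache)

        try:                                    # traversal never forms a path
            confine(cache, "../victim/secret.txt")
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True

        try:                                    # hardened delete sees the symlink
            remove_no_follow(cache, "secret.txt")
            results["hardened_refused"] = False
        except OSError:
            results["hardened_refused"] = True
        results["secret_after_hardened"] = os.path.exists(secret)

        os.remove(os.path.join(cache, "secret.txt"))   # naive delete follows it
        results["secret_after_naive"] = os.path.exists(secret)
    return results
```

The point of opening the directory first and passing dir_fd is that the check (lstat) and the action (unlink) refer to the same directory object, so a rename or symlink swap in between cannot redirect the delete.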
26) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2025-30470)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to incorrect handling of path names in Maps. A local application can read sensitive location information.
27) Improper access control (CVE-ID: CVE-2025-30426)
The vulnerability allows a local application to enumerate the apps installed on the device.
The vulnerability exists due to improper access restrictions in NetworkExtension. A local application can enumerate a user's installed apps.
28) Improper access control (CVE-ID: CVE-2025-24173)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in Power Services. A local application can break out of its sandbox.
29) Improper access control (CVE-ID: CVE-2025-24095)
The vulnerability allows a local application to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in RepairKit. A local application can bypass Privacy preferences.
30) Input validation error (CVE-ID: CVE-2025-30471)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Security component. A remote attacker can pass specially crafted input to the system and perform a denial of service (DoS) attack.
31) Improper access control (CVE-ID: CVE-2025-30438)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to improper access restrictions in Share Sheet. A local application can dismiss the system notification on the Lock Screen that a recording was started.
32) Improper access control (CVE-ID: CVE-2025-30433)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Shortcuts. A local application can access files that are normally inaccessible to the Shortcuts app.
33) Information exposure through log files (CVE-ID: CVE-2025-24214)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Siri. A local application can access sensitive user data.
34) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-31184)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient permission checks. A remote attacker can trick the victim into visiting a specially crafted website that uses Safari to access the local network without authorization.
35) Information disclosure (CVE-ID: CVE-2025-24192)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when handling script imports. A malicious website can gain access to sensitive information.
36) Memory corruption (CVE-ID: CVE-2025-24264)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.
37) Memory corruption (CVE-ID: CVE-2025-24216)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.
38) Use after free (CVE-ID: CVE-2025-30427)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.
39) NULL pointer dereference (CVE-ID: CVE-2025-31202)
The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference in AirPlay. A remote attacker on the local network can perform a denial-of-service attack.
40) Missing authorization (CVE-ID: CVE-2025-24271)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to missing authorization checks in AirPlay. A remote unauthenticated attacker on the same network as a signed-in Mac can send it AirPlay commands without pairing.
41) Information disclosure (CVE-ID: CVE-2025-24270)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in AirPlay. A remote attacker on the local network can gain unauthorized access to sensitive information.
42) Use after free (CVE-ID: CVE-2025-24252)
The vulnerability allows a remote attacker on the local network to compromise the affected system.
The vulnerability exists due to a use-after-free error in AirPlay. A remote attacker on the local network can corrupt process memory.
43) Input validation error (CVE-ID: CVE-2025-24251)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in AirPlay. A remote attacker on the local network can send specially crafted input to the system and perform a denial of service (DoS) attack.
44) Input validation error (CVE-ID: CVE-2025-31197)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in AirPlay. A remote attacker on the local network can send specially crafted input to the system and perform a denial of service (DoS) attack.
45) Improper authentication (CVE-ID: CVE-2025-24206)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to a state issue in AirPlay when handling authentication requests. A remote attacker on the local network can bypass authentication process and gain unauthorized access to the system.
46) Type Confusion (CVE-ID: CVE-2025-30445)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to type confusion error in AirPlay. A remote attacker on the local network can perform a denial of service (DoS) attack.
47) Integer overflow (CVE-ID: CVE-2025-31203)
The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in CoreUtils. A remote attacker on the local network can send specially crafted input to the system, trigger an integer overflow and perform a denial-of-service attack.
48) Improper input validation (CVE-ID: CVE-2025-31196)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in CoreGraphics. A remote attacker can trick the victim into opening a specially crafted file and perform a denial-of-service or potentially disclose memory contents.
49) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2025-31199)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists because the software stores sensitive information in log files. A local application can read the log files and gain access to sensitive user data.
50) Security features bypass (CVE-ID: CVE-2025-30466)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of Same Origin Policy. A remote attacker can trick the victim into visiting a specially crafted website and bypass Same Origin Policy restrictions.
51) Out-of-bounds read (CVE-ID: CVE-2025-43205)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Audio component. A local application can trigger an out-of-bounds read error and read contents of memory on the system, which can lead to ASLR bypass.
52) Improper access control (CVE-ID: CVE-2025-24203)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in Kernel. A local application can modify protected parts of the file system.
Remediation
Install the update from the vendor's website.